Changes to Cybersecurity Requirements for Defense Contractors

After months of internal review, the Department of Defense announced it will make significant changes to the Cybersecurity Maturity Model Certification (CMMC) program, now called CMMC 2.0. Among these changes are: reducing the number of companies that would require a third-party assessment, reducing the CMMC rating from 5 levels to 3 levels, suspending CMMC pilot programs until there is a final regulation, allowing annual self-assessments for certain levels, and bringing back Plans of Action and Milestones (POAM). These changes were met with opposition from some stakeholders [https://cmmcinfo.org/2021/11/05/analysis-of-cmmc-2-0/] who argue that they run counter to DoD policies and President Biden’s recent Executive Orders increasing cybersecurity reporting requirements for businesses. AGC has communicated the difficulty many contractors have had implementing these new cybersecurity requirements and the challenges that the CMMC model brings. DoD acknowledges the challenge of being 100% compliant with CMMC, but suggests that a firm’s “policies, plans, processes, and procedures” may offset the need for full compliance. AGC will continue to follow this issue and will update members as developments occur. For more information, contact jordan.howard@agc.org or (703) 837-5368.